On Tue, Feb 24, 2015, Stephan Mühlstrasser wrote:
> Do I understand it correctly then that "a local configuration of
> OCSP signing authority" here means that it is a deliberate choice
> inside OpenSSL itself to look for the OCSPSigning flag in the
> extended key usage of the root CA, although RFC 2560 does not say
> so?
>
No, it's a separate thing called a "trust setting" which is not part of the
certificate itself. This is something which has to be explicitly configured
to trust that root CA for OCSPSigning.
It's OpenSSL's version of the trust settings you see in browsers.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
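
The following is an added example, not part of the original message or of OpenSSL's own code. It attaches an OCSPSigning trust setting to a root CA with `openssl x509 -addtrust` and shows that the certificate itself is unchanged. The CA name, file names and temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. The CA name, file names and temp directory are constructed.
set -eu

# Create a throwaway self-signed root, then attach the OCSPSigning trust setting.
make_trusted_root() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # -addtrust writes the certificate plus auxiliary trust data
    openssl x509 -in "$dir/root.pem" -addtrust OCSPSigning \
        -out "$dir/root-trusted.pem"
}

# First line of the PEM file: shows which PEM type was written.
pem_label() { head -n 1 "$1"; }

# SHA-256 fingerprint of the certificate itself (trust data is not included).
cert_sha256() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# The "Trusted Uses" list that openssl prints for auxiliary trust data.
trusted_uses() {
    openssl x509 -in "$1" -noout -text |
        awk '/Trusted Uses:/ { getline; sub(/^ +/, ""); print }'
}

demo_dir=$(mktemp -d)
make_trusted_root "$demo_dir"
echo "plain PEM type:   $(pem_label "$demo_dir/root.pem")"
echo "trusted PEM type: $(pem_label "$demo_dir/root-trusted.pem")"
echo "plain cert:       $(cert_sha256 "$demo_dir/root.pem")"
echo "trusted cert:     $(cert_sha256 "$demo_dir/root-trusted.pem")"
echo "trusted uses:     $(trusted_uses "$demo_dir/root-trusted.pem")"
rm -rf "$demo_dir"
```

Both fingerprints match because the trust setting is stored alongside the certificate in the `TRUSTED CERTIFICATE` PEM wrapper rather than inside the signed certificate.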